Kerberized NFSv4 without creating new service principals

1

I need to deploy NFSv4 with Kerberos authentication in an existing AD environment, but this has to be done without making any changes to the KDC ...

So I figured I would need to reuse the host credentials to authenticate the servers. However, it does not seem to be working and I just cannot figure out why.

I am working with CentOS 6. We are using Kerberos + LDAP with several other services (SSH via PAM, OpenAFS, ...).

For simplicity, the same machine plays the role of both client and server for now.

So, my configuration looks like this:

/etc/sysconfig/nfs:

SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"

The important part here is the "-n" option passed to rpc.svcgssd (from the man page: "Use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM.")

In /etc/idmapd.conf I have:

[General]
Verbosity = 3
Domain = mycompany.com


[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

Method = nsswitch

In /etc/krb5.conf I have:

[libdefaults]
 default_realm = MYCOMPANY.COM
 ticket_lifetime = 25h
 renew_lifetime = 120h
 forwardable = true
 proxiable = true
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 allow_weak_crypto = true
 chpw_prompt = true

[realms]
 MYCOMPANY.COM = {
  default_domain = mycompany.com
  kpasswd_server = dc.mycompany.com
  admin_server = dc.mycompany.com
  kdc = dc.mycompany.com

  v4_name_convert = {
     host = {
         rcmd = host
     }
  }
 }
[domain_realm]
 .mycompany.com = MYCOMPANY.COM
[appdefaults]
   pkinit_pool =  DIR:/etc/pki/tls/certs/
   pkinit_anchors = DIR:/etc/pki/tls/certs/
 pam = {
   external = true
   krb4_convert =  false 
   krb4_convert_524 =  false 
   krb4_use_as_req =  false 
   ticket_lifetime = 25h
   use_shmem = sshd
 }

In /etc/exports:

/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)

Now, if I try to mount this NFS share by running

mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt

as root, I get:

mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "nfs-srv-1:/"
mount: node:  "/mnt"
mount: types: "nfs4"
mount: opts:  "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep  3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/

and in the logs:

Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root@MYCOMPANY.COM while getting keytab entry for 'root@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root@MYCOMPANY.COM while getting keytab entry for 'root@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b

Contents of the ticket cache (from a later run, please ignore the timestamps ...):

Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/nfs-srv-1.mycompany.com@MYCOMPANY.COM

Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 09/09/15 10:34:34

It seems that it finds my host credentials but fails to initialize the Kerberos 5 context. I have no idea what to make of this, could you help me?

Let me know if you need more details.

Thanks in advance.

    
by dgyuri92 03.09.2015 / 15:28

0 answers
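The verbose rpc.gssd log and the klist listing in the question can be reduced to a handful of facts that decide whether the mount can authenticate. The script below is an added example, not code from the question or from nfs-utils: it parses constructed copies of the log lines and ticket-cache listing shown above (the hostname nfs-srv-1.mycompany.com, the realm MYCOMPANY.COM and the cache path are taken from the post; the function names and the regular expressions are assumptions of this example) and reports which keytab principals the client tried, which one it used, which GSS service name it then requested a context for, and whether the cache holds a service ticket for that name.

```python
"""Added example, not code from the question or from nfs-utils: reduce a verbose
rpc.gssd log plus a klist ticket-cache listing to the facts that decide whether
a Kerberized NFSv4 mount can authenticate. Sample inputs are constructed from
the lines shown in the post."""
import re

# Constructed sample: a trimmed copy of the rpc.gssd -vvv output in the post.
GSSD_LOG = """\
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root@MYCOMPANY.COM while getting keytab entry for 'root@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
"""

# Constructed sample: klist output for the machine credential cache in the post.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/nfs-srv-1.mycompany.com@MYCOMPANY.COM

Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 09/09/15 10:34:34
"""

TRIED_RE = re.compile(r"No key table entry found for (\S+) while")
FOUND_RE = re.compile(r"Success getting keytab entry for '([^']+)'")
TARGET_RE = re.compile(r"creating context with server (\S+)")
CTX_FAIL_RE = re.compile(r"WARNING: Failed to create (?:machine )?krb5 context")
# One klist ticket line: start time, expiry time, service principal.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$", re.M)


def summarise_gssd_log(log_text):
    """Reduce a verbose rpc.gssd log to the facts that matter for authentication."""
    summary = {"tried": [], "keytab_entry": None, "target": None, "context_failed": False}
    for line in log_text.splitlines():
        m = TRIED_RE.search(line)
        if m:
            if m.group(1) not in summary["tried"]:   # the log repeats on retry
                summary["tried"].append(m.group(1))
            continue
        m = FOUND_RE.search(line)
        if m:
            summary["keytab_entry"] = m.group(1)
            continue
        m = TARGET_RE.search(line)
        if m:
            summary["target"] = m.group(1)
            continue
        if CTX_FAIL_RE.search(line):
            summary["context_failed"] = True
    return summary


def service_tickets(klist_text):
    """Return the service principals listed in klist output for a credential cache."""
    return TICKET_RE.findall(klist_text)


def gss_target_to_principal(target, realm):
    """GSS names a host-based service as 'nfs@host'; the Kerberos ticket the
    client must obtain for it is 'nfs/host@REALM'."""
    service, host = target.split("@", 1)
    return "%s/%s@%s" % (service, host, realm)


def findings(summary, tickets, realm):
    """Turn the parsed facts into a short checklist for the administrator."""
    notes = []
    if summary["keytab_entry"] is None:
        notes.append("no usable keytab entry was found; check 'klist -k' on the client")
        return notes
    notes.append("client authenticated with keytab entry %s" % summary["keytab_entry"])
    if summary["target"] and summary["context_failed"]:
        wanted = gss_target_to_principal(summary["target"], realm)
        if wanted in tickets:
            notes.append("a service ticket for %s is already cached; look at the "
                         "server-side rpc.svcgssd log next" % wanted)
        else:
            notes.append("context for %s failed and the cache holds no ticket for %s; "
                         "verify that this service principal exists in the KDC"
                         % (summary["target"], wanted))
    return notes


if __name__ == "__main__":
    parsed = summarise_gssd_log(GSSD_LOG)
    for note in findings(parsed, service_tickets(KLIST_OUTPUT), "MYCOMPANY.COM"):
        print("- " + note)
```

Two facts the summary makes explicit: the client authenticated itself from host/nfs-srv-1.mycompany.com@MYCOMPANY.COM, yet the context it tried to build was for nfs@nfs-srv-1.mycompany.com, and a Kerberos client building that context needs a ticket for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM; the cache listed in the post holds only the TGT. The -n flag on rpc.svcgssd changes which keytab entry the server uses to accept contexts; it does not change the service name the client asks the KDC for, so the nfs/ name is the one to verify on the KDC side. Whether that principal exists in the AD domain is not shown on the page.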